Skip to content

Update guard hook

Update guard hook #307

Workflow file for this run

---
name: 'Dependency Review'
on: [pull_request]
permissions:
contents: read
jobs:
req-files:
runs-on: ubuntu-latest
outputs:
reqfiles: ${{ steps.get-files.outputs.REQLIST }}
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- id: get-files
run:
echo "REQLIST=$(find . -name 'requirements*.txt' -print | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
dependency-review:
needs: req-files
strategy:
matrix:
python: [ 3.8, 3.9, "3.10" ]
os: [ubuntu-latest]
files: ${{ fromJSON(needs.req-files.outputs.reqfiles) }}
runs-on: ${{ matrix.os }}
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- name: Set up Python ${{ matrix.python }}
uses: actions/setup-python@v4
with:
python-version: ${{ matrix.python }}
- name: Install pip-audit on non-Windows
run: |
pip install "pip-audit>=2.5.3"
- name: 'Dependency Review'
uses: actions/dependency-review-action@v3
- name: 'Pip Audit'
uses: pypa/gh-action-pip-audit@v1.0.6
with:
inputs: ${{ matrix.files }}
rust-files:
runs-on: ubuntu-latest
outputs:
rustfiles: ${{ steps.get-rust-files.outputs.RUSTLIST }}
steps:
- name: 'Checkout Repository'
uses: actions/checkout@v3
- id: get-rust-files
run:
echo "RUSTLIST=$(find . -type f -name "Cargo.toml" -exec dirname "{}" \; | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
rust_security_audit:
runs-on: ubuntu-latest
needs: rust-files
strategy:
matrix:
files: ${{ fromJSON(needs.rust-files.outputs.rustfiles) }}
steps:
- uses: actions/checkout@v3
- run: cd $GITHUB_WORKSPACE && mv ${{ matrix.files }}/* .
- uses: actions-rs/audit-check@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
go_scan:
runs-on: ubuntu-latest
env:
GO111MODULE: on
steps:
- uses: actions/checkout@v3
- name: Run Gosec Security Scanner
uses: securego/gosec@master
with:
args: '-no-fail -fmt sarif -out results.sarif ./...'
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif